Lines Matching +full:forced +full:- +full:comms
1 // SPDX-License-Identifier: GPL-2.0-only
87 /* Elements in ovs_ct_limit_info->limits hash table */
111 switch (ntohs(key->eth.type)) { in key_to_nfproto()
157 return ct ? READ_ONCE(ct->mark) : 0; in ovs_ct_get_mark()
174 if (ct->master && !nf_ct_is_confirmed(ct)) in ovs_ct_get_labels()
175 ct = ct->master; in ovs_ct_get_labels()
179 memcpy(labels, cl->bits, OVS_CT_LABELS_LEN); in ovs_ct_get_labels()
188 key->ct_orig_proto = orig->dst.protonum; in __ovs_ct_update_key_orig_tp()
189 if (orig->dst.protonum == icmp_proto) { in __ovs_ct_update_key_orig_tp()
190 key->ct.orig_tp.src = htons(orig->dst.u.icmp.type); in __ovs_ct_update_key_orig_tp()
191 key->ct.orig_tp.dst = htons(orig->dst.u.icmp.code); in __ovs_ct_update_key_orig_tp()
193 key->ct.orig_tp.src = orig->src.u.all; in __ovs_ct_update_key_orig_tp()
194 key->ct.orig_tp.dst = orig->dst.u.all; in __ovs_ct_update_key_orig_tp()
202 key->ct_state = state; in __ovs_ct_update_key()
203 key->ct_zone = zone->id; in __ovs_ct_update_key()
204 key->ct.mark = ovs_ct_get_mark(ct); in __ovs_ct_update_key()
205 ovs_ct_get_labels(ct, &key->ct.labels); in __ovs_ct_update_key()
211 if (ct->master) in __ovs_ct_update_key()
212 ct = ct->master; in __ovs_ct_update_key()
213 orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple; in __ovs_ct_update_key()
216 if (key->eth.type == htons(ETH_P_IP) && in __ovs_ct_update_key()
218 key->ipv4.ct_orig.src = orig->src.u3.ip; in __ovs_ct_update_key()
219 key->ipv4.ct_orig.dst = orig->dst.u3.ip; in __ovs_ct_update_key()
222 } else if (key->eth.type == htons(ETH_P_IPV6) && in __ovs_ct_update_key()
225 key->ipv6.ct_orig.src = orig->src.u3.in6; in __ovs_ct_update_key()
226 key->ipv6.ct_orig.dst = orig->dst.u3.in6; in __ovs_ct_update_key()
231 /* Clear 'ct_orig_proto' to mark the non-existence of conntrack in __ovs_ct_update_key()
234 key->ct_orig_proto = 0; in __ovs_ct_update_key()
237 /* Update 'key' based on skb->_nfct. If 'post_ct' is true, then OVS has
261 if (ct->master) in ovs_ct_update_key()
264 state |= key->ct_state & OVS_CS_F_NAT_MASK; in ovs_ct_update_key()
266 if (ct->status & IPS_SRC_NAT) in ovs_ct_update_key()
268 if (ct->status & IPS_DST_NAT) in ovs_ct_update_key()
275 zone = &info->zone; in ovs_ct_update_key()
293 if (nla_put_u32(skb, OVS_KEY_ATTR_CT_STATE, output->ct_state)) in ovs_ct_put_key()
294 return -EMSGSIZE; in ovs_ct_put_key()
297 nla_put_u16(skb, OVS_KEY_ATTR_CT_ZONE, output->ct_zone)) in ovs_ct_put_key()
298 return -EMSGSIZE; in ovs_ct_put_key()
301 nla_put_u32(skb, OVS_KEY_ATTR_CT_MARK, output->ct.mark)) in ovs_ct_put_key()
302 return -EMSGSIZE; in ovs_ct_put_key()
305 nla_put(skb, OVS_KEY_ATTR_CT_LABELS, sizeof(output->ct.labels), in ovs_ct_put_key()
306 &output->ct.labels)) in ovs_ct_put_key()
307 return -EMSGSIZE; in ovs_ct_put_key()
309 if (swkey->ct_orig_proto) { in ovs_ct_put_key()
310 if (swkey->eth.type == htons(ETH_P_IP)) { in ovs_ct_put_key()
314 orig.ipv4_src = output->ipv4.ct_orig.src; in ovs_ct_put_key()
315 orig.ipv4_dst = output->ipv4.ct_orig.dst; in ovs_ct_put_key()
316 orig.src_port = output->ct.orig_tp.src; in ovs_ct_put_key()
317 orig.dst_port = output->ct.orig_tp.dst; in ovs_ct_put_key()
318 orig.ipv4_proto = output->ct_orig_proto; in ovs_ct_put_key()
322 return -EMSGSIZE; in ovs_ct_put_key()
323 } else if (swkey->eth.type == htons(ETH_P_IPV6)) { in ovs_ct_put_key()
327 memcpy(orig.ipv6_src, output->ipv6.ct_orig.src.s6_addr32, in ovs_ct_put_key()
329 memcpy(orig.ipv6_dst, output->ipv6.ct_orig.dst.s6_addr32, in ovs_ct_put_key()
331 orig.src_port = output->ct.orig_tp.src; in ovs_ct_put_key()
332 orig.dst_port = output->ct.orig_tp.dst; in ovs_ct_put_key()
333 orig.ipv6_proto = output->ct_orig_proto; in ovs_ct_put_key()
337 return -EMSGSIZE; in ovs_ct_put_key()
350 new_mark = ct_mark | (READ_ONCE(ct->mark) & ~(mask)); in ovs_ct_set_mark()
351 if (READ_ONCE(ct->mark) != new_mark) { in ovs_ct_set_mark()
352 WRITE_ONCE(ct->mark, new_mark); in ovs_ct_set_mark()
355 key->ct.mark = new_mark; in ovs_ct_set_mark()
360 return -ENOTSUPP; in ovs_ct_set_mark()
378 * since the new connection is not yet confirmed, and thus no-one else has
389 master_cl = ct->master ? nf_ct_labels_find(ct->master) : NULL; in ovs_ct_init_labels()
396 return -ENOSPC; in ovs_ct_init_labels()
403 u32 *dst = (u32 *)cl->bits; in ovs_ct_init_labels()
407 dst[i] = (dst[i] & ~mask->ct_labels_32[i]) | in ovs_ct_init_labels()
408 (labels->ct_labels_32[i] in ovs_ct_init_labels()
409 & mask->ct_labels_32[i]); in ovs_ct_init_labels()
417 memcpy(&key->ct.labels, cl->bits, OVS_CT_LABELS_LEN); in ovs_ct_init_labels()
431 return -ENOSPC; in ovs_ct_set_labels()
433 err = nf_connlabels_replace(ct, labels->ct_labels_32, in ovs_ct_set_labels()
434 mask->ct_labels_32, in ovs_ct_set_labels()
439 memcpy(&key->ct.labels, cl->bits, OVS_CT_LABELS_LEN); in ovs_ct_set_labels()
450 err = nf_ct_handle_fragments(net, skb, zone, family, &key->ip.proto, &ovs_cb.mru); in ovs_ct_handle_fragments()
458 key->ip.frag = OVS_FRAG_TYPE_NONE; in ovs_ct_handle_fragments()
472 /* Once we've had two way comms, always ESTABLISHED. */ in ovs_ct_get_info()
473 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) in ovs_ct_get_info()
475 if (test_bit(IPS_EXPECTED_BIT, &ct->status)) in ovs_ct_get_info()
481 * re-attributing statistics or modifying the connection state. This allows an
482 * skb->_nfct lost due to an upcall to be recovered during actions execution.
486 * On success, populates skb->_nfct and returns the connection. Returns NULL
526 h = &ct->tuplehash[!h->tuple.dst.dir]; in ovs_ct_find_existing()
542 * might be found for this skb. This happens when we lose a skb->_nfct in ovs_ct_executed()
543 * due to an upcall, or if the direction is being forced. If the in ovs_ct_executed()
547 *ct_executed = (key->ct_state & OVS_CS_F_TRACKED) && in ovs_ct_executed()
548 !(key->ct_state & OVS_CS_F_INVALID) && in ovs_ct_executed()
549 (key->ct_zone == info->zone.id); in ovs_ct_executed()
551 if (*ct_executed || (!key->ct_state && info->force)) { in ovs_ct_executed()
552 ct = ovs_ct_find_existing(net, &info->zone, info->family, skb, in ovs_ct_executed()
553 !!(key->ct_state & in ovs_ct_executed()
560 /* Determine whether skb->_nfct is equal to the result of conntrack lookup. */
579 if (!net_eq(net, read_pnet(&ct->ct_net))) in skb_nfct_cached()
581 if (!nf_ct_zone_equal_any(info->ct, nf_ct_zone(ct))) in skb_nfct_cached()
583 if (info->helper) { in skb_nfct_cached()
587 if (help && rcu_access_pointer(help->helper) != info->helper) in skb_nfct_cached()
590 if (info->nf_ct_timeout) { in skb_nfct_cached()
594 if (!timeout_ext || info->nf_ct_timeout != in skb_nfct_cached()
595 rcu_dereference(timeout_ext->timeout)) in skb_nfct_cached()
599 if (info->force && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) { in skb_nfct_cached()
622 key->ct_state |= OVS_CS_F_SRC_NAT; in ovs_nat_update_key()
623 if (key->eth.type == htons(ETH_P_IP)) in ovs_nat_update_key()
624 key->ipv4.addr.src = ip_hdr(skb)->saddr; in ovs_nat_update_key()
625 else if (key->eth.type == htons(ETH_P_IPV6)) in ovs_nat_update_key()
626 memcpy(&key->ipv6.addr.src, &ipv6_hdr(skb)->saddr, in ovs_nat_update_key()
627 sizeof(key->ipv6.addr.src)); in ovs_nat_update_key()
631 if (key->ip.proto == IPPROTO_UDP) in ovs_nat_update_key()
632 src = udp_hdr(skb)->source; in ovs_nat_update_key()
633 else if (key->ip.proto == IPPROTO_TCP) in ovs_nat_update_key()
634 src = tcp_hdr(skb)->source; in ovs_nat_update_key()
635 else if (key->ip.proto == IPPROTO_SCTP) in ovs_nat_update_key()
636 src = sctp_hdr(skb)->source; in ovs_nat_update_key()
640 key->tp.src = src; in ovs_nat_update_key()
644 key->ct_state |= OVS_CS_F_DST_NAT; in ovs_nat_update_key()
645 if (key->eth.type == htons(ETH_P_IP)) in ovs_nat_update_key()
646 key->ipv4.addr.dst = ip_hdr(skb)->daddr; in ovs_nat_update_key()
647 else if (key->eth.type == htons(ETH_P_IPV6)) in ovs_nat_update_key()
648 memcpy(&key->ipv6.addr.dst, &ipv6_hdr(skb)->daddr, in ovs_nat_update_key()
649 sizeof(key->ipv6.addr.dst)); in ovs_nat_update_key()
653 if (key->ip.proto == IPPROTO_UDP) in ovs_nat_update_key()
654 dst = udp_hdr(skb)->dest; in ovs_nat_update_key()
655 else if (key->ip.proto == IPPROTO_TCP) in ovs_nat_update_key()
656 dst = tcp_hdr(skb)->dest; in ovs_nat_update_key()
657 else if (key->ip.proto == IPPROTO_SCTP) in ovs_nat_update_key()
658 dst = sctp_hdr(skb)->dest; in ovs_nat_update_key()
662 key->tp.dst = dst; in ovs_nat_update_key()
674 if (!(info->nat & OVS_CT_NAT)) in ovs_ct_nat()
676 if (info->nat & OVS_CT_SRC_NAT) in ovs_ct_nat()
678 if (info->nat & OVS_CT_DST_NAT) in ovs_ct_nat()
681 err = nf_ct_nat(skb, ct, ctinfo, &action, &info->range, info->commit); in ovs_ct_nat()
703 * Note that if the packet is deemed invalid by conntrack, skb->_nfct will be
722 .pf = info->family, in __ovs_ct_lookup()
725 struct nf_conn *tmpl = info->ct; in __ovs_ct_lookup()
732 nf_conntrack_get(&tmpl->ct_general); in __ovs_ct_lookup()
738 return -ENOENT; in __ovs_ct_lookup()
742 * the whole state, as it will be re-initialized below. in __ovs_ct_lookup()
744 key->ct_state = 0; in __ovs_ct_lookup()
762 * the key->ct_state. in __ovs_ct_lookup()
764 if (info->nat && !(key->ct_state & OVS_CS_F_NAT_MASK) && in __ovs_ct_lookup()
765 (nf_ct_is_confirmed(ct) || info->commit) && in __ovs_ct_lookup()
767 return -EINVAL; in __ovs_ct_lookup()
776 if (!nf_ct_is_confirmed(ct) && info->commit && in __ovs_ct_lookup()
777 info->helper && !nfct_help(ct)) { in __ovs_ct_lookup()
778 int err = __nf_ct_try_assign_helper(ct, info->ct, in __ovs_ct_lookup()
785 if (info->nat && !nfct_seqadj(ct)) { in __ovs_ct_lookup()
787 return -EINVAL; in __ovs_ct_lookup()
792 * - nf_conntrack_in() was executed above ("!cached") or a in __ovs_ct_lookup()
795 * - When committing an unconfirmed connection. in __ovs_ct_lookup()
798 info->commit) && in __ovs_ct_lookup()
799 nf_ct_helper(skb, ct, ctinfo, info->family) != NF_ACCEPT) { in __ovs_ct_lookup()
800 return -EINVAL; in __ovs_ct_lookup()
805 /* Be liberal for tcp packets so that out-of-window in __ovs_ct_lookup()
841 if (labels->ct_labels_32[i]) in labels_nonzero()
851 return &info->limits[zone & (CT_LIMIT_HASH_BUCKETS - 1)]; in ct_limit_hash_bucket()
861 head = ct_limit_hash_bucket(info, new_ct_limit->zone); in ct_limit_set()
863 if (ct_limit->zone == new_ct_limit->zone) { in ct_limit_set()
864 hlist_replace_rcu(&ct_limit->hlist_node, in ct_limit_set()
865 &new_ct_limit->hlist_node); in ct_limit_set()
871 hlist_add_head_rcu(&new_ct_limit->hlist_node, head); in ct_limit_set()
883 if (ct_limit->zone == zone) { in ct_limit_del()
884 hlist_del_rcu(&ct_limit->hlist_node); in ct_limit_del()
899 if (ct_limit->zone == zone) in ct_limit_get()
900 return ct_limit->limit; in ct_limit_get()
903 return info->default_limit; in ct_limit_get()
911 const struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info; in ovs_ct_check_limit()
915 conncount_key = info->zone.id; in ovs_ct_check_limit()
917 per_zone_limit = ct_limit_get(ct_limit_info, info->zone.id); in ovs_ct_check_limit()
921 connections = nf_conncount_count(net, ct_limit_info->data, in ovs_ct_check_limit()
922 &conncount_key, tuple, &info->zone); in ovs_ct_check_limit()
924 return -ENOMEM; in ovs_ct_check_limit()
943 /* The connection could be invalid, in which case this is a no-op.*/ in ovs_ct_commit()
952 &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); in ovs_ct_commit()
956 info->zone.id); in ovs_ct_commit()
970 if (info->have_eventmask) { in ovs_ct_commit()
974 cache->ctmask = info->eventmask; in ovs_ct_commit()
981 if (info->mark.mask) { in ovs_ct_commit()
982 err = ovs_ct_set_mark(ct, key, info->mark.value, in ovs_ct_commit()
983 info->mark.mask); in ovs_ct_commit()
988 err = ovs_ct_init_labels(ct, key, &info->labels.value, in ovs_ct_commit()
989 &info->labels.mask); in ovs_ct_commit()
995 labels_nonzero(&info->labels.mask)) { in ovs_ct_commit()
996 err = ovs_ct_set_labels(ct, key, &info->labels.value, in ovs_ct_commit()
997 &info->labels.mask); in ovs_ct_commit()
1005 return -EINVAL; in ovs_ct_commit()
1010 /* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero
1024 err = nf_ct_skb_network_trim(skb, info->family); in ovs_ct_execute()
1030 if (key->ip.frag != OVS_FRAG_TYPE_NONE) { in ovs_ct_execute()
1031 err = ovs_ct_handle_fragments(net, key, info->zone.id, in ovs_ct_execute()
1032 info->family, skb); in ovs_ct_execute()
1037 if (info->commit) in ovs_ct_execute()
1072 bool ip_vers = (info->family == NFPROTO_IPV6); in parse_nat()
1093 return -EINVAL; in parse_nat()
1100 return -EINVAL; in parse_nat()
1106 if (info->nat) { in parse_nat()
1108 return -ERANGE; in parse_nat()
1110 info->nat |= OVS_CT_NAT; in parse_nat()
1111 info->nat |= ((type == OVS_NAT_ATTR_SRC) in parse_nat()
1116 nla_memcpy(&info->range.min_addr, a, in parse_nat()
1117 sizeof(info->range.min_addr)); in parse_nat()
1118 info->range.flags |= NF_NAT_RANGE_MAP_IPS; in parse_nat()
1123 nla_memcpy(&info->range.max_addr, a, in parse_nat()
1124 sizeof(info->range.max_addr)); in parse_nat()
1125 info->range.flags |= NF_NAT_RANGE_MAP_IPS; in parse_nat()
1129 info->range.min_proto.all = htons(nla_get_u16(a)); in parse_nat()
1130 info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; in parse_nat()
1135 info->range.max_proto.all = htons(nla_get_u16(a)); in parse_nat()
1136 info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; in parse_nat()
1140 info->range.flags |= NF_NAT_RANGE_PERSISTENT; in parse_nat()
1144 info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM; in parse_nat()
1148 info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; in parse_nat()
1153 return -EINVAL; in parse_nat()
1159 return -EINVAL; in parse_nat()
1161 if (!info->nat) { in parse_nat()
1163 if (info->range.flags) { in parse_nat()
1167 return -EINVAL; in parse_nat()
1169 info->nat = OVS_CT_NAT; /* NAT existing connections. */ in parse_nat()
1170 } else if (!info->commit) { in parse_nat()
1174 return -EINVAL; in parse_nat()
1177 if (info->range.flags & NF_NAT_RANGE_MAP_IPS && !have_ip_max) { in parse_nat()
1178 memcpy(&info->range.max_addr, &info->range.min_addr, in parse_nat()
1179 sizeof(info->range.max_addr)); in parse_nat()
1182 if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED && in parse_nat()
1184 info->range.max_proto.all = info->range.min_proto.all; in parse_nat()
1226 return -EINVAL; in parse_ct()
1235 return -EINVAL; in parse_ct()
1240 info->force = true; in parse_ct()
1243 info->commit = true; in parse_ct()
1247 info->zone.id = nla_get_u16(a); in parse_ct()
1254 if (!mark->mask) { in parse_ct()
1256 return -EINVAL; in parse_ct()
1258 info->mark = *mark; in parse_ct()
1266 if (!labels_nonzero(&labels->mask)) { in parse_ct()
1268 return -EINVAL; in parse_ct()
1270 info->labels = *labels; in parse_ct()
1278 return -EINVAL; in parse_ct()
1291 info->have_eventmask = true; in parse_ct()
1292 info->eventmask = nla_get_u32(a); in parse_ct()
1296 memcpy(info->timeout, nla_data(a), nla_len(a)); in parse_ct()
1297 if (!string_is_terminated(info->timeout, nla_len(a))) { in parse_ct()
1299 return -EINVAL; in parse_ct()
1307 return -EINVAL; in parse_ct()
1312 if (!info->commit && info->mark.mask) { in parse_ct()
1315 return -EINVAL; in parse_ct()
1319 if (!info->commit && labels_nonzero(&info->labels.mask)) { in parse_ct()
1322 return -EINVAL; in parse_ct()
1327 return -EINVAL; in parse_ct()
1347 return ovs_net->xt_label; in ovs_ct_verify()
1365 return -EINVAL; in ovs_ct_copy_action()
1382 return -ENOMEM; in ovs_ct_copy_action()
1386 if (nf_ct_set_timeout(net, ct_info.ct, family, key->ip.proto, in ovs_ct_copy_action()
1393 nf_ct_timeout_find(ct_info.ct)->timeout); in ovs_ct_copy_action()
1399 key->ip.proto, ct_info.nat, &ct_info.helper); in ovs_ct_copy_action()
1412 __set_bit(IPS_CONFIRMED_BIT, &ct_info.ct->status); in ovs_ct_copy_action()
1429 if (info->nat & OVS_CT_SRC_NAT) { in ovs_ct_nat_to_attr()
1432 } else if (info->nat & OVS_CT_DST_NAT) { in ovs_ct_nat_to_attr()
1439 if (info->range.flags & NF_NAT_RANGE_MAP_IPS) { in ovs_ct_nat_to_attr()
1441 info->family == NFPROTO_IPV4) { in ovs_ct_nat_to_attr()
1443 info->range.min_addr.ip) || in ovs_ct_nat_to_attr()
1444 (info->range.max_addr.ip in ovs_ct_nat_to_attr()
1445 != info->range.min_addr.ip && in ovs_ct_nat_to_attr()
1447 info->range.max_addr.ip)))) in ovs_ct_nat_to_attr()
1450 info->family == NFPROTO_IPV6) { in ovs_ct_nat_to_attr()
1452 &info->range.min_addr.in6) || in ovs_ct_nat_to_attr()
1453 (memcmp(&info->range.max_addr.in6, in ovs_ct_nat_to_attr()
1454 &info->range.min_addr.in6, in ovs_ct_nat_to_attr()
1455 sizeof(info->range.max_addr.in6)) && in ovs_ct_nat_to_attr()
1457 &info->range.max_addr.in6)))) in ovs_ct_nat_to_attr()
1463 if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED && in ovs_ct_nat_to_attr()
1465 ntohs(info->range.min_proto.all)) || in ovs_ct_nat_to_attr()
1466 (info->range.max_proto.all != info->range.min_proto.all && in ovs_ct_nat_to_attr()
1468 ntohs(info->range.max_proto.all))))) in ovs_ct_nat_to_attr()
1471 if (info->range.flags & NF_NAT_RANGE_PERSISTENT && in ovs_ct_nat_to_attr()
1474 if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM && in ovs_ct_nat_to_attr()
1477 if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY && in ovs_ct_nat_to_attr()
1494 return -EMSGSIZE; in ovs_ct_action_to_attr()
1496 if (ct_info->commit && nla_put_flag(skb, ct_info->force in ovs_ct_action_to_attr()
1499 return -EMSGSIZE; in ovs_ct_action_to_attr()
1501 nla_put_u16(skb, OVS_CT_ATTR_ZONE, ct_info->zone.id)) in ovs_ct_action_to_attr()
1502 return -EMSGSIZE; in ovs_ct_action_to_attr()
1503 if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) && ct_info->mark.mask && in ovs_ct_action_to_attr()
1504 nla_put(skb, OVS_CT_ATTR_MARK, sizeof(ct_info->mark), in ovs_ct_action_to_attr()
1505 &ct_info->mark)) in ovs_ct_action_to_attr()
1506 return -EMSGSIZE; in ovs_ct_action_to_attr()
1508 labels_nonzero(&ct_info->labels.mask) && in ovs_ct_action_to_attr()
1509 nla_put(skb, OVS_CT_ATTR_LABELS, sizeof(ct_info->labels), in ovs_ct_action_to_attr()
1510 &ct_info->labels)) in ovs_ct_action_to_attr()
1511 return -EMSGSIZE; in ovs_ct_action_to_attr()
1512 if (ct_info->helper) { in ovs_ct_action_to_attr()
1514 ct_info->helper->name)) in ovs_ct_action_to_attr()
1515 return -EMSGSIZE; in ovs_ct_action_to_attr()
1517 if (ct_info->have_eventmask && in ovs_ct_action_to_attr()
1518 nla_put_u32(skb, OVS_CT_ATTR_EVENTMASK, ct_info->eventmask)) in ovs_ct_action_to_attr()
1519 return -EMSGSIZE; in ovs_ct_action_to_attr()
1520 if (ct_info->timeout[0]) { in ovs_ct_action_to_attr()
1521 if (nla_put_string(skb, OVS_CT_ATTR_TIMEOUT, ct_info->timeout)) in ovs_ct_action_to_attr()
1522 return -EMSGSIZE; in ovs_ct_action_to_attr()
1526 if (ct_info->nat && !ovs_ct_nat_to_attr(ct_info, skb)) in ovs_ct_action_to_attr()
1527 return -EMSGSIZE; in ovs_ct_action_to_attr()
1543 if (ct_info->helper) { in __ovs_ct_free_action()
1545 if (ct_info->nat) in __ovs_ct_free_action()
1546 nf_nat_helper_put(ct_info->helper); in __ovs_ct_free_action()
1548 nf_conntrack_helper_put(ct_info->helper); in __ovs_ct_free_action()
1550 if (ct_info->ct) { in __ovs_ct_free_action()
1551 if (ct_info->timeout[0]) in __ovs_ct_free_action()
1552 nf_ct_destroy_timeout(ct_info->ct); in __ovs_ct_free_action()
1553 nf_ct_tmpl_free(ct_info->ct); in __ovs_ct_free_action()
1562 ovs_net->ct_limit_info = kmalloc(sizeof(*ovs_net->ct_limit_info), in ovs_ct_limit_init()
1564 if (!ovs_net->ct_limit_info) in ovs_ct_limit_init()
1565 return -ENOMEM; in ovs_ct_limit_init()
1567 ovs_net->ct_limit_info->default_limit = OVS_CT_LIMIT_DEFAULT; in ovs_ct_limit_init()
1568 ovs_net->ct_limit_info->limits = in ovs_ct_limit_init()
1571 if (!ovs_net->ct_limit_info->limits) { in ovs_ct_limit_init()
1572 kfree(ovs_net->ct_limit_info); in ovs_ct_limit_init()
1573 return -ENOMEM; in ovs_ct_limit_init()
1577 INIT_HLIST_HEAD(&ovs_net->ct_limit_info->limits[i]); in ovs_ct_limit_init()
1579 ovs_net->ct_limit_info->data = in ovs_ct_limit_init()
1582 if (IS_ERR(ovs_net->ct_limit_info->data)) { in ovs_ct_limit_init()
1583 err = PTR_ERR(ovs_net->ct_limit_info->data); in ovs_ct_limit_init()
1584 kfree(ovs_net->ct_limit_info->limits); in ovs_ct_limit_init()
1585 kfree(ovs_net->ct_limit_info); in ovs_ct_limit_init()
1594 const struct ovs_ct_limit_info *info = ovs_net->ct_limit_info; in ovs_ct_limit_exit()
1597 nf_conncount_destroy(net, NFPROTO_INET, info->data); in ovs_ct_limit_exit()
1599 struct hlist_head *head = &info->limits[i]; in ovs_ct_limit_exit()
1606 kfree(info->limits); in ovs_ct_limit_exit()
1619 return ERR_PTR(-ENOMEM); in ovs_ct_limit_cmd_reply_start()
1621 *ovs_reply_header = genlmsg_put(skb, info->snd_portid, in ovs_ct_limit_cmd_reply_start()
1622 info->snd_seq, in ovs_ct_limit_cmd_reply_start()
1627 return ERR_PTR(-EMSGSIZE); in ovs_ct_limit_cmd_reply_start()
1629 (*ovs_reply_header)->dp_ifindex = ovs_header->dp_ifindex; in ovs_ct_limit_cmd_reply_start()
1654 if (unlikely(zone_limit->zone_id == in ovs_ct_limit_set_zone_limit()
1657 info->default_limit = zone_limit->limit; in ovs_ct_limit_set_zone_limit()
1660 zone_limit->zone_id, &zone))) { in ovs_ct_limit_set_zone_limit()
1668 return -ENOMEM; in ovs_ct_limit_set_zone_limit()
1670 ct_limit->zone = zone; in ovs_ct_limit_set_zone_limit()
1671 ct_limit->limit = zone_limit->limit; in ovs_ct_limit_set_zone_limit()
1677 rem -= NLA_ALIGN(sizeof(*zone_limit)); in ovs_ct_limit_set_zone_limit()
1699 if (unlikely(zone_limit->zone_id == in ovs_ct_limit_del_zone_limit()
1702 info->default_limit = OVS_CT_LIMIT_DEFAULT; in ovs_ct_limit_del_zone_limit()
1705 zone_limit->zone_id, &zone))) { in ovs_ct_limit_del_zone_limit()
1712 rem -= NLA_ALIGN(sizeof(*zone_limit)); in ovs_ct_limit_del_zone_limit()
1728 .limit = info->default_limit, in ovs_ct_limit_get_default_limit()
1766 if (unlikely(zone_limit->zone_id == in ovs_ct_limit_get_zone_limit()
1771 } else if (unlikely(!check_zone_id(zone_limit->zone_id, in ovs_ct_limit_get_zone_limit()
1780 net, info->data, zone, limit, reply); in ovs_ct_limit_get_zone_limit()
1784 rem -= NLA_ALIGN(sizeof(*zone_limit)); in ovs_ct_limit_get_zone_limit()
1809 head = &info->limits[i]; in ovs_ct_limit_get_all_zone_limit()
1811 err = __ovs_ct_limit_get_zone_limit(net, info->data, in ovs_ct_limit_get_all_zone_limit()
1812 ct_limit->zone, ct_limit->limit, reply); in ovs_ct_limit_get_all_zone_limit()
1825 struct nlattr **a = info->attrs; in ovs_ct_limit_cmd_set()
1828 struct ovs_net *ovs_net = net_generic(sock_net(skb->sk), ovs_net_id); in ovs_ct_limit_cmd_set()
1829 struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info; in ovs_ct_limit_cmd_set()
1838 err = -EINVAL; in ovs_ct_limit_cmd_set()
1859 struct nlattr **a = info->attrs; in ovs_ct_limit_cmd_del()
1862 struct ovs_net *ovs_net = net_generic(sock_net(skb->sk), ovs_net_id); in ovs_ct_limit_cmd_del()
1863 struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info; in ovs_ct_limit_cmd_del()
1872 err = -EINVAL; in ovs_ct_limit_cmd_del()
1891 struct nlattr **a = info->attrs; in ovs_ct_limit_cmd_get()
1895 struct net *net = sock_net(skb->sk); in ovs_ct_limit_cmd_get()
1897 struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info; in ovs_ct_limit_cmd_get()
1907 err = -EMSGSIZE; in ovs_ct_limit_cmd_get()
1981 if (nf_connlabels_get(net, n_bits - 1)) { in ovs_ct_init()
1982 ovs_net->xt_label = false; in ovs_ct_init()
1985 ovs_net->xt_label = true; in ovs_ct_init()
2003 if (ovs_net->xt_label) in ovs_ct_exit()